<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi,<br>
<br>
On 08/11/16 17:33, Matthias Ballreich wrote:<br>
</div>
<blockquote
cite="mid:AM4PR0601MB1924B18D3B6F177B10C1AC2BFBA60@AM4PR0601MB1924.eurprd06.prod.outlook.com"
type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;"
dir="ltr">
<p class="x_MsoNormal"><span lang="EN-US">Hi there,</span></p>
<p class="x_MsoNormal"><span lang="EN-US"> </span></p>
<p class="x_MsoNormal"><span lang="EN-US">How can I access the
Mozilla NSS (shared) Database (cert8 or cert9d.db) /
PKCS#11-Modules via OpenSSL?</span></p>
<p class="x_MsoNormal"><span lang="EN-US">I need read &amp;
write access to the NSS User Cert Database (softokn3) and to
the Built-In Cert Database (nssckbi) under Windows.</span></p>
<p class="x_MsoNormal"><span lang="EN-US"> </span></p>
<p class="x_MsoNormal"><span lang="EN-US">I tried it with Libp11
this way:</span></p>
<p class="x_MsoNormal"><span lang="EN-US"> </span></p>
<p class="x_MsoNormal"><span style="font-size:10.0pt;
color:black" lang="EN-US">int rc = 0;<br>
PKCS11_CTX *pkcs11_ctx;<br>
pkcs11_ctx = PKCS11_CTX_new();<br>
PKCS11_CTX_init_args(pkcs11_ctx,<br>
"configdir=''C:/Users/Username/AppData/Roaming/Mozilla/Firefox/Profiles/5wzkdcjx.default'
certPrefix='' keyPrefix='' secmod='secmod.db'");<br>
rc = PKCS11_CTX_load(pkcs11_ctx, " C:/Program Files
(x86)/Mozilla/Firefox/softokn3.dll ");<br>
printf("Desc: %s\n", pkcs11_ctx->description);<br>
if (rc)<br>
printf("Error loading Module");<br>
<br>
</span><span lang="EN-US">But it returns “-1” every time, which
tells me that the loading fails. So is this the right way?
Or should I use another library? Or is my code not right?</span></p>
<p class="x_MsoNormal"><span lang="EN-US">And can I edit the
Trust Settings with that or another library, like with NSS
directly? Because I can’t delete the built-in certs of
nssckbi, because this is read-only, I can edit the
Trust-Settings for that certificate. Can I do that with
OpenSSL in combination with a library, too? Or should I
better use NSS instead of OpenSSL?</span></p>
<br>
</div>
</blockquote>
This is slightly off-topic for this mailing list, but I'd try using
p11-kit to access the NSS device; the problem with the softokn3
pseudo-pkcs11 device is/was that it did not follow the PKCS11
standard completely - this made the softokn3 device unusable for
tools like libp11 and opensc; however, there are links on the web
stating that p11-kit does not how to read a nssdb file, e.g.<br>
<a class="moz-txt-link-freetext" href="https://wiki.gnome.org/Projects/CryptoGlue/Integration#NSS_libsoftokn3">https://wiki.gnome.org/Projects/CryptoGlue/Integration#NSS_libsoftokn3</a><br>
<br>
and p11-kit has been ported to both mingw and cygwin.<br>
<br>
HTH,<br>
<br>
JJK<br>
<br>
</body>
</html>